POLICY: Human Resources - Staff Privacy Policy POLICY URL: https://lsi-ac.uk/policy/40045efc-f4a0-4ed7-81d3-bde1cfdcc9c7 POLICY STATEMENT: Protecting staff privacy is essential to fostering trust, safeguarding individuals, minimising risks, and upholding security; The School is committed to processing personal data, ensuring fairness, transparency, and security while meeting legal and contractual responsibilities, in compliance with Data Protection laws and guided by Information Commissioner’s Office (ICO) standards; This policy sets out the School’s approach to safeguarding staff privacy and ensuring confidentiality through responsible data management. POLICY PRINCIPLES: ------------------ - Confidentiality : Guaranteeing that personal information is kept confidential and secure at all times; - Transparency : Being transparent about the collection, use, and sharing of staff data; - Consent : Requiring explicit consent for the processing of personal data, where necessary; - Legality : Ensuring all data processing activities comply with legal requirements; - Necessity : Collecting only data that is necessary for legitimate educational and operational purposes; - Access : Providing staff with access to their personal data and the right to update or correct it; - Protection : Implementing stringent measures to protect against data breaches and misuse; - Minimal Retention : Keeping personal data for no longer than is needed for its intended purposes; - Responsibility : Making clear the roles and responsibilities in data protection and privacy matters; - Training : Offering ongoing training to staff managing personal data to ensure compliance with this policy; - Rights : Upholding the rights of individuals in line with the General Data Protection Regulation (GDPR) and other applicable laws; - Review : Continually reviewing and updating the policy to reflect changes in data protection laws. REGULATORY CONTEXT: ------------------ This Policy has been developed in line with the applicable laws, regulations, regulatory advice, and sector best practices, including the following: R1. UK Government : Data Protection Act 2018 - Legislation aimed at controlling the processing of personal data, laying down principles with respect to the processing of personal data, and the rights of data subjects R2. Information Commissioner's Office (ICO): Guide for higher education institutions - Provides guidance for higher education providers on their obligations under data protection law. METRICS AND KPIS: ------------------ The following metrics will be measured and regularly reviewed as key performance indicators for the School to ensure the effectiveness of this policy and associated operations: M1. Data Protection Training Completion Rate: Ensure 100% of new staff complete mandatory data protection training within 30 days of joining, and all staff complete annual refresher training. Regular training reinforces awareness and compliance with data protection laws, reducing the risk of data mishandling. M2. Data Retention Compliance Rate: Ensure 100% compliance with the School’s data retention policy by conducting bi-annual reviews of staff data held across all systems. Ensures data is not held longer than necessary, reducing risks of breaches and ensuring legal compliance. M3. Review of Data Protection Procedures: Conduct a comprehensive review of data protection procedures and practices annually, implementing any necessary improvements. Regular reviews help identify areas for improvement and ensure procedures remain effective and up-to-date. SECTION 1: What Information Does the School Collect ------------------ 1.1. Collection and Use of Personal Data During Employment: During employment, the School will collect, store, and process your personal data, including ‘special categories’ like racial or ethnic origin, religious beliefs, health information, sexual orientation, and criminal convictions. Additional data may be collected when employment begins. Specific information collected includes contact details, education and employment history, emergency contacts, email usage, identification photos, CCTV recordings, health details, and criminal conviction data; The School collects personal data to comply with legal obligations, ensure staff and student safety, and provide necessary support and services. Special categories of data are collected for equal opportunities monitoring and fulfilling statutory requirements. Criminal conviction information is used to ensure a safe environment by restricting access to services where necessary. SECTION 2: Why Do We Collect Your Data ------------------ 2.1. Collection of Personal Information: We collect your personal information to support our operations and enhance services and facilities. This data may be collected in various ways:; From information provided when you engage with us before and upon joining; Through communication by phone, email, or our website; During interactions with us throughout your employment; From third-party sources; Collecting personal information enables us to perform our duties effectively, respond to enquiries or concerns, and continually improve our services and facilities. Third-party data helps ensure we have accurate and relevant information for these purposes. SECTION 3: Who has Access to the Data ------------------ 3.1. Disclosure of Personal Information to External Organisations: The School may share your personal information with external organisations to fulfil legal duties, manage operations, or upon your request. These organisations may include:; Government departments (e.g., Home Office, Department of Education); Public bodies and agencies (e.g., HMRC, Health and Safety Executive); Office for Students (OFS) and Office of the Independent Adjudicator (OIA); Programme-accrediting organisations (e.g., BCS); Local Authorities for Council Tax and electoral registration; Police, law enforcement, and safeguarding agencies; Insurers, auditors, and providers of external training placements; Current or prospective employers for references; Third-party support services and IT providers; Crime prevention or detection agencies; Banks and employers upon your request; We will not disclose other personal information without your consent unless necessary for your vital interests (e.g., in an emergency). Anonymised or aggregated data may be shared for purposes like equality benchmarking; Sharing personal information with external organisations ensures the School meets legal obligations, supports its operations, and provides requested services. Sharing data with agencies like police or health authorities may be required for safety, crime prevention, or compliance. Anonymised data helps improve equality and diversity initiatives through benchmarking. SECTION 4: How Do We Use Your Information ------------------ 4.1. Secure Handling and Use of Personal Information: The School securely collects, stores, and processes your personal information in both paper and electronic formats, including databases accessible to academic and professional departments. Access is restricted to authorised staff, contractors, or agents with a legitimate business need within their contractual duties. Personal information is used for:; Managing finances and related funding; Administering facility use and event participation (e.g., building access, libraries, health services); Handling complaints, investigations, and disciplinary matters, including academic misconduct; Fulfilling statutory reporting and monitoring equality legislation compliance; Ensuring health, safety, and wellbeing, including safeguarding and crime prevention; Monitoring compliance with School regulations; Conducting management reporting, research, and statistical analysis; Checking right-to-work status and visa compliance; Communicating work-related information and updates; Inviting participation in research to improve services; Some data may be ‘special categories’ (e.g., race, ethnicity, medical information) for specific purposes like equality monitoring or providing necessary support. Access to such data is strictly controlled under the School's data protection policy managed by the Data Protection Officer; Secure handling of personal data ensures the School meets its academic, legal, and operational responsibilities while safeguarding individual privacy. Controlling access to sensitive information through a robust data protection policy protects against misuse and supports compliance with legal requirements. SECTION 5: How Your Data is Held ------------------ 5.1. Access to Personal Data: Your personal data is stored in our administrative systems and is accessible to authorised staff across the School as needed; Authorised staff access your personal data to manage academic, administrative, and operational activities effectively, ensuring the smooth functioning of School services. SECTION 6: How Long Do We Keep Your Data ------------------ 6.1. Retention of Personal Data and Automated Decision-Making: We may retain your personal data for up to six years after your association with us ends. A core record will be kept indefinitely to provide references and verify your studies. We do not use your personal data for automated decision-making or profiling; Retaining data allows us to confirm your association with the School and provide references when needed. Avoiding automated decision-making ensures decisions about you are made fairly and accurately, without reliance on algorithms that could impact you without human oversight. SECTION 7: Changes to this Privacy Notice ------------------ 7.1. Review of Privacy Notices: We regularly review our privacy notices to ensure they remain accurate and up to date; Regular reviews of privacy notices ensure compliance with legal requirements and reflect any changes in how we manage personal data. SECTION 8: Other Privacy Notices ------------------ 8.1. Protection of Privacy and Additional Notices: We prioritise protecting your privacy. Please note that other privacy notices cover data related to staff, enquiries, applications, current students, alumni, and website use. These notices are available on our website; Different activities within the School require specific privacy notices to ensure all personal data is managed appropriately and transparently. Providing access to these notices ensures you are informed about how your data is handled across different contexts.